Описание
Undertow MadeYouReset HTTP/2 DDoS Vulnerability
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2025-9784
- https://github.com/undertow-io/undertow/pull/1778
- https://github.com/undertow-io/undertow/pull/1802
- https://github.com/undertow-io/undertow/pull/1803
- https://github.com/undertow-io/undertow/pull/1804
- https://github.com/undertow-io/undertow/pull/1805
- https://access.redhat.com/security/cve/CVE-2025-9784
- https://bugzilla.redhat.com/show_bug.cgi?id=2392306
- https://issues.redhat.com/browse/UNDERTOW-2598
Пакеты
io.undertow:undertow-core
< 2.2.38.Final
2.2.38.Final
io.undertow:undertow-core
>= 2.3.0.Alpha1, < 2.3.20.Final
2.3.20.Final
Связанные уязвимости
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
A flaw was found in Undertow where malformed client requests can trigg ...